Privacy Policy (Datenschutzerklärung)

Last updated: January 12, 2026

This Privacy Policy describes how thelawin.dev ("we", "our", "us") collects, uses, and protects your personal data when you use our ZUGFeRD/Factur-X API service.

We are committed to protecting your privacy and handling your data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

thelawin.dev
Stephan Eberle
Bertha-von-Suttner-Str. 27
23843 Bad Oldesloe
Germany

Email: hello@thelawin.dev

2. Scope & Principles

We process personal data in accordance with GDPR principles:

  • Data Minimization: We collect only data necessary for service operation
  • Purpose Limitation: Data is used only for specified purposes
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity & Confidentiality: We implement appropriate security measures
  • Accountability: We document our data processing activities

Key Privacy Feature: Our API is stateless. Invoice data you send to our API is processed in real-time and returned as a PDF. We do NOT store invoice content, amounts, customer data, or other sensitive business information beyond the API request-response cycle.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address: For account identification and communication
  • Password: Stored only as a bcrypt hash (via Devise), never as the plaintext password
  • Locale preference: Your preferred language (en, de, fr, es, it)
  • Plan: Your subscription level (sandbox, starter, pro)

3.2 API Keys

When you generate API keys, we store:

  • Key hash: SHA256 hash of your API key (not the key itself)
  • Key prefix: First 8 characters for identification (e.g., "env_live_")
  • Environment: Whether the key is for sandbox or live use
  • Name: Optional label you assign to the key
  • Last used: Timestamp of most recent API request
  • Active status: Whether the key is enabled or disabled

3.3 Usage Logs

For billing and service monitoring, we log:

  • Endpoint accessed: Which API endpoint was called (e.g., /v1/generate)
  • Template used: Which PDF template was requested (minimal, classic, compact)
  • Success status: Whether the request succeeded or failed
  • Response time: Processing time in milliseconds
  • Timestamp: When the request occurred

Important: Usage logs do NOT contain invoice data, customer names, amounts, descriptions, or any business-sensitive information from your API requests.

3.4 OAuth Identity Data

If you sign in via OAuth (Google, GitHub, LinkedIn), we store:

  • Provider name: Which service you used to sign in
  • Provider UID: Your unique identifier with that provider
  • Email address: Provided by the OAuth provider
  • Name: Your display name from the provider
  • Avatar URL: Your profile picture URL (if available)
  • Access tokens: For accessing provider APIs on your behalf (encrypted)
  • Refresh tokens: For maintaining OAuth connections (encrypted)

3.5 OAuth Provider Data (Doorkeeper)

If you authorize third-party applications to access our API on your behalf, we store:

  • Application details: Name, redirect URIs, scopes, client ID
  • Access tokens: Tokens issued to third-party apps (automatically expire)
  • Refresh tokens: For token renewal (if granted)
  • Authorization grants: Your consent to specific access scopes

3.6 Billing Data

For paid subscriptions, we store:

  • Stripe Customer ID: Your identifier in Stripe's system

All payment details (credit card numbers, billing addresses) are stored exclusively by Stripe. We never see or store your full payment information.

3.7 Waitlist Data (Pre-Launch)

If you signed up for our pre-launch waitlist:

  • Email address: To notify you when we launch
  • Notification timestamp: When we sent the launch notification

Waitlist emails are deleted within 30 days after sending the launch notification.

3.8 Session & Cache Data

For logged-in sessions, we use:

  • Session cookies: To keep you logged in (Rails encrypted cookies)
  • Solid Cache: Rails 8 server-side cache for temporary data (auto-expires)

4. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR Article 6:

4.1 Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary to provide our API service, including account management, API key generation, usage tracking, and billing.

4.2 Legitimate Interest (Art. 6(1)(f) GDPR)

We have a legitimate interest in preventing fraud, monitoring service performance, and improving our API based on usage patterns (without accessing your invoice data).

4.3 Consent (Art. 6(1)(a) GDPR)

OAuth connections and waitlist sign-ups are based on your explicit consent. You can withdraw consent at any time.

5. Data Sharing & Third Parties

We share your data only with the following trusted partners:

5.1 Stripe (Payment Processing)

For paid subscriptions, we share your email address and Stripe Customer ID with Stripe Inc. (USA). Stripe processes payment data under a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs).

Stripe Privacy Policy: https://stripe.com/privacy

5.2 OAuth Providers

If you sign in via Google, GitHub, or LinkedIn, these providers process your authentication data according to their own privacy policies. We only receive the data you authorize them to share with us.

5.3 No Other Third Parties

We do NOT share, sell, or transfer your data to any other third parties, advertising networks, or data brokers.

6. Data Retention

  • Account data: Retained until you delete your account
  • Usage logs: Retained for 12 months for billing verification and fraud prevention
  • API keys: Retained until you explicitly revoke them
  • OAuth tokens: Retained until you disconnect the OAuth connection or delete your account
  • Waitlist emails: Deleted within 30 days after sending launch notification
  • Session data: Auto-expires after 14 days of inactivity
  • Invoice data: NEVER stored - processed in real-time and returned immediately

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

7.1 Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you. Contact us at hello@thelawin.dev to request a data export.

7.2 Right to Rectification (Art. 16 GDPR)

You can update your email, password, and locale preference in your account settings. For other corrections, contact us.

7.3 Right to Erasure (Art. 17 GDPR)

You can delete your account and all associated data from your account settings. This will permanently delete your account data, API keys, usage logs, and OAuth connections.

7.4 Right to Data Portability (Art. 20 GDPR)

You can request your data in a machine-readable format (JSON). Contact us for a data export.

7.5 Right to Object (Art. 21 GDPR)

You can object to data processing based on legitimate interests. However, this may prevent us from providing the service.

7.6 Right to Withdraw Consent

You can disconnect OAuth connections or unsubscribe from the waitlist at any time via your account settings or by contacting us.

To exercise any of these rights, contact us at hello@thelawin.dev. We will respond within 30 days.

8. International Data Transfers

Primary Data Storage: All data is stored on servers located in the European Union (Germany).

Stripe (USA): Payment processing data is transferred to Stripe Inc. in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.

OAuth Providers: If you use Google, GitHub, or LinkedIn to sign in, these providers may store your authentication data outside the EU according to their own policies.

9. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • TLS Encryption: All connections use HTTPS/TLS 1.3
  • Password Hashing: Passwords are hashed using bcrypt (via Devise)
  • API Key Hashing: API keys are stored as SHA256 hashes
  • OAuth Token Encryption: OAuth tokens are encrypted at rest
  • Regular Updates: We keep our systems and dependencies up to date
  • Access Controls: Only authorized personnel can access infrastructure
  • No Invoice Storage: Invoice data is never written to disk or database

Despite our best efforts, no data transmission over the internet is 100% secure. If you suspect a security breach, contact us immediately at hello@thelawin.dev.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes are tracked in our HISTORY.md file on GitHub.

For material changes that affect your rights, we will notify you via email at least 30 days before the changes take effect. Continued use of the service after notification constitutes acceptance of the updated policy.

11. Contact & Complaints

Data Protection Contact:
Email: hello@thelawin.dev
Address: Stephan Eberle, Bertha-von-Suttner-Str. 27, 23843 Bad Oldesloe, Germany

Right to Lodge a Complaint:
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority.

German Data Protection Authority:
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
https://www.bfdi.bund.de/

EU Data Protection Authorities:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

12. EU Online Dispute Resolution

The European Commission provides a platform for online dispute resolution (ODR): https://ec.europa.eu/consumers/odr/